CyberEye

Securing the human endpoint

Endpoint protection has become a major focus for agency security efforts over the past few years, as mobile devices proliferate and the bring-your-own-device movement grows as a major factor in government communications, even when agencies remain leery about it. But is it the device or the employee using it that’s the greatest threat?

Organizations such as the Defense Information Systems Agency have made their concerns over endpoint security clear. Early in 2015, DISA put out a request for information on next-generation solutions, saying the endpoint had evolved “to encompass a complex hybrid environment of desktops, laptops, mobile devices, virtual endpoints, servers and infrastructure involving both public and private clouds.”

That complicated soup of devices and technologies is defeating agencies’ attempts to bolster their overall security, according to a recent report. Federal IT managers surveyed by MeriTalk estimated that just under half of the endpoints that can access agency networks are at risk, with nearly one-third saying they had experienced endpoint breaches due to advanced persistent threats or zero-day attacks.

As DISA pointed out in its RFI, traditional signature-based defenses can’t scale to cover agencies’ sprawling endpoint infrastructures, especially when exacerbated by the growth of virtualization.

However, even if agencies could tie down the physical security of endpoints — and the MeriTalk survey shows they are failing at that — there’s still the matter of employees and their actions. It’s no use having good endpoint security if the behavior of the user negates that.

The Ponemon Institute made that point at the beginning of 2015 in its annual look at the state of endpoint security. That study concluded fairly bluntly that negligent employees who do not comply with security policies are seen “as the greatest source of endpoint risk.”

Some of the problem is based on the sheer demand for endpoint device connectivity that is overwhelming IT departments. Over two-thirds of the respondents in the Ponemon study said their IT groups couldn’t provide the support for that, while the same number admitted endpoint security has become a far more important part of overall IT security.

Bookending that Ponemon report is a study published a few days ago by Ping Identity, which surveyed employees at U.S. enterprises and concluded that “the majority of enterprise employees are not connecting the dots between security best practices they are taught and behavior in their work and personal lives.”

Employees are doing some things really well to keep data secure, according to Ping, and following good security practices, such as creating unique and strong passwords. But then they reuse those passwords across personal or work accounts and share them with familiar colleagues.

Now, take the enterprise infrastructure even further to include partner organizations that have network access, such as service providers or, in the case of government agencies, contractors. No matter how bulletproof the prime organization’s security, if those partners have holes in their endpoint security, attackers will find and exploit them.

That was the reason behind some of the biggest security breaches of the past two years.

All of which seems to raise the question of what is meant by endpoint security. If organizations in 2016 bear down on securing their endpoints — which they will have to do — just what exactly is an endpoint? Is it the device, virtualized or not, or does it come down to the user? There are some good endpoint security solutions that have been developed, but how will they take the human into account?